On Mac OS X Viruses

I usually find the security-related smugness of Mac users rather jarring. What’s often even more jarring is the reasoning behind such smugness. That said, I have to say that the recent furor regarding the so called OSX.Macarena “virus” amounts to, well, bullshit. If anti-virus companies are pretending to “recognize the threat” and therefore attempting to “increase awareness” by supporting the propagation of FUD, that’s not right, albeit understandable (viruses being relevant to their business and all). Far too many people use computers but far too few understand computers. This imbalance makes the situation quite lucrative for some.

According to an official “Technical Details” document, when OSX.Macarena is executed, it performs the following actions:

  1. Infects other files when they are executed in the current directory, regardless of file name or extension.

Let us get some context in here. Let me quote something from one of my old writings on Unix viruses:

Unix has the reputation of being “not so buggy,” and of being a good maintainer of system sanctity via good protection mechanisms (in particular, a supervisor mode that is supposed to be very hard to attain for a non-super-user).

You do not need to exploit bugs in an operating system to have viruses. Essentially all operating systems provide prerequisites for supporting a computer virus. Similarly, supervisor mode is not necessary for viral activity, and in any case, supervisor mode may be obtained through virus-unrelated security holes. Moreover, the number of reported viruses on a particular platform is not an indicator of the feasibility (either way) of viruses on that platform.

A typical definition of a computer virus might have aspects such as the following:

  • A virus attacks specific file types (or files).
  • A virus manipulates a program to execute tasks unintentionally.
  • An infected program produces more viruses.
  • An infected program may run without error for a long time.
  • Viruses can modify themselves and may possibly escape detection this way.

Note that none of the above requirements is automatically ruled out on Unix.

Well, Unix viruses are hardly new. Fred Cohen, who pioneered the formal definition and study of computer viruses, implemented a Unix virus in 1983. The virus ran on a VAX 11/750 system. Dennis Ritchie, one of the inventors of UNIX, had the following to say about Unix viruses:

“A few years ago Tom Duff created a very persistent UNIX virus. At that point we had about 10-12 8th or 9th edition VAX 750s networked together. The virus lived in the slack space at the end of the executable, and changed the entry point to itself. When the program was executed, it searched the current directory, subdirectories, /bin, /usr/bin for writable, uninfected files and then infected them if there was enough space.”

Does that sound familiar? This was in the late 1980s.

In reaction to a similar controversy as we are talking about now, I wrote a portable “Unix virus” as a trivial C program many, many years ago. I called it the Jingle Bell Virus since I wrote it in the Bell Labs cafeteria at Murray Hill, NJ. Jingle Bell attaches itself to the first executable found on the command line. Of course, you can configure the infection scheme to whatever you want. You can read Jingle Bell’s source code and also “see it in action” on the following page:

Somebody has even trivially ported Jingle Bell to the Plan 9 operating system. You can find it in one of the contrib subdirectories within the Plan 9 source distribution. You can just as easily port it to Mac OS X (by “easily”, I mean change the value of the constant V_OFFSET in the code and recompile—that’s it).

What this newborn Mac OS X virus essentially demonstrates is merely a manifestation of how operating systems work. Portraying this as a newly found threat is just not right, at least if you do so without clarifying that this is how operating systems work; you can do this on any operating system in general; you could do this on ancient UNIX; the real threat is not every such individual program but flaws that might allow such malware to spread; and so on. And no, the fact that this particular one does its job by mucking with Mach-O structures doesn’t justify the terror alarm. What’s next? Saying that “Mac OS X allows sensitive information to be leaked (because you can read files on Mac OS X)”? Wouldn’t it be far more worthy and worthwhile to point out and address real vulnerabilities in Mac OS X?

To be fair, if there indeed is no FUD involved and the parties involved are truly well meaning, now that I’ve made Jingle Bell public (well, I made it public many years ago and the relevant page has been accessed hundreds of thousands of times), shouldn’t it also be on the anti-virus lists for all operating systems it can be compiled on? While we are at it, we should also read all relevant academic papers and include any viruses found therein too.

It should not be any harder to write a virus for Unix (and Mac OS X) than it would be for any other system. However, spreading a virus would have different logistics on Unix as compared to, say, Windows. Given the default usage scenarios (note that I’m not saying design or architecture) of Windows and Unix, it is generally harder to spread such things on Unix. That said, Mac OS X does have some potentially very troublesome aspects. (Think about what an admin user on Mac OS X can do—by default—in terms of file permissions.) So, I am not saying everything is rosy and wonderful for Mac OS X. Please be wary of that creeping smugness.

Rather than repeat many other details here, let me refer those interested in the history and nature of digital life forms to some more things I have written in the past:

All these are sections within the following bigger document:

Besides these, there is an abundance of academic papers and articles on computer viruses and worms. Just search.

Comments are closed.

All contents of this site, unless otherwise noted, are ©1994-2014 Amit Singh. All Rights Reserved.